Re: comments on the spin bit, in lieu of the mic line

Kazuho Oku <> Wed, 07 November 2018 01:44 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id BA4DD12785F for <>; Tue, 6 Nov 2018 17:44:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id KLgRzp1YyMGk for <>; Tue, 6 Nov 2018 17:44:46 -0800 (PST)
Received: from ( [IPv6:2a00:1450:4864:20::12f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 00430127598 for <>; Tue, 6 Nov 2018 17:44:45 -0800 (PST)
Received: by with SMTP id i26so10353202lfc.0 for <>; Tue, 06 Nov 2018 17:44:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=XU/4+PkErauYrHFoi8PhazSdxh7AYUGi+76isNnl3HY=; b=S+NC3cIWx+dXw6dsNfzDLBPLfnJymr0ZaPfywK4yBNJ3jSEcuD4FVxoOZ5OKbE0W8Q N2CyTPZ+I5PANROYGsETu15ks5sUsfG1LIhHFE0EX0Jj3a8/ZKOqErVxMqdh+fabaQ3I Ji4YQ/+upoA7NCuYHnfuaxDA+zA14gtlWygfHYc/EvGXFgjpDorLKYbcN1r1BTbjwUFR kXiXBVfxVyfrwVBXLFh4HfWz9vOZFbVw3watbmnOG10LlMMDvshjvAiwYUvLwjJkfAZ9 B3JxYz4m8RSD/vHnhZjNxLcIsYvFDqGYukBQ2qX9LUK3bf5jGw0lmmCfxcvs6NVlnfIp EKTw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=XU/4+PkErauYrHFoi8PhazSdxh7AYUGi+76isNnl3HY=; b=RpXcBh3qcHe7L/dwHLRIZiSVX+/bJRmnx7RgHVclF2KDyb+/JJwSfgewhDsjcAriaj sTJanCu+xaqcQP1CL8qxemw1pst0Z3uVeWMdLJCTeUNhFszqP+JIBIXWcf7NPJNLCl4T uAXjVPP45zhHoEdoMDtQLk/px/n46JmjwS36UehIf3yKWBCxB6EKcUl6BHnKbggZWcTK QVYDjbHr5fE63g7C+Y1/KM0jyohAESox9GTpOZlQWn88x5s4+P3P1/P48OxHwP0tBymb 57qEuFhp8TdojtyJcDn4IfPKqbhbbksRGRvGB7OzSxKu96j8TiY70KnWyg1/dM/LSkJ6 7bJQ==
X-Gm-Message-State: AGRZ1gKwf2EKOB1G1sP5baVB23P1+GAK1c1jDn0yw3p8onXlrmDXuP1y zp+YfdDPyQANCKdzawEyoEKWl32HtgqKml5CPgKF/g==
X-Google-Smtp-Source: AJdET5eXMpewjTDoTkWtNUv1OblM1b3mUnE9DMTbL55gR7BH6/LUCnnAL0zNHuCSF6jJ+U2x4uGLhiW5rfasJSHFEsc=
X-Received: by 2002:a19:d5:: with SMTP id 204mr15420222lfa.116.1541555083874; Tue, 06 Nov 2018 17:44:43 -0800 (PST)
MIME-Version: 1.0
References: <> <> <>
In-Reply-To: <>
From: Kazuho Oku <>
Date: Wed, 7 Nov 2018 08:44:32 +0700
Message-ID: <>
Subject: Re: comments on the spin bit, in lieu of the mic line
To: Ted Hardie <>
Cc: Brian Trammell <>, IETF QUIC WG <>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 07 Nov 2018 01:44:49 -0000

Ted, thank you for the response. My comments inline.

2018年11月7日(水) 8:15 Ted Hardie <>:
> Hi Kazuho,
> Some responses in-line.
> On Wed, Nov 7, 2018 at 6:58 AM Kazuho Oku <> wrote:
>> 2018年11月6日(火) 23:03 Brian Trammell (IETF) <>:
>> >
>> > Greetings, all,
>> >
>> > As I might not make it to tomorrow's discussion remotely, I wanted to go ahead and say a few things that I would say in the mic line. To the questions posed in the agenda:
>> >
>> >
>> > - Yes, we should consider only the 1-bit variant. The VEC protects the fidelity of the signal very well (indeed, well beyond the bounds of network conditions the transport will tolerate), but (1) Marcus' work in particular has shown that even in challenging network conditions, relatively simple heuristics at the observers can compensate for not having it, so (2) at the cost of two extra bits the marginal value is low.
>> >
>> > - Yes, the spin bit is clearly fit for purpose. I'll note we've done more research on this question than for any other single feature under consideration for inclusion in QUIC.
>> >
>> > - I am not at this time responsible for any sizeable deployment, so I can't speak directly to the third question. While I hope we'll hear from more implementers during the discussion tomorrow that they intend to implement, IMO even just a deployment from Microsoft would be sufficient to generate enough spinning flows to make deployment of observers useful.
>> >
>> > - The spin bit should be included in the specification. It provides the continued ability to measure RTT passively in a future world where TCP traffic is increasingly replaced by QUIC traffic, at negligible complexity cost, essentially zero runtime overhead, with negligible privacy impact, and what negligible impact it may have on privacy in certain corner cases can be easily mitigated.
>> >
>> > - As to requirement levels, I'd stick with my own recommendation from the earlier thread: client and server SHOULD implement, though server SHOULD is IMO marginally more important than client SHOULD.
>> >
>> >
>> > Now some details (presuming, of course, that the discussion gets that far):
>> >
>> > - In any case, both server and client SHOULD independently randomly disable spinning on some proportion of connections (1/8 to 1/16) to target a given proportion (1/4 to 1/8) of connections spinning, as in [section 4 of the author's copy of spin-exp]( This is to ensure that those endpoints that wish to opt out have a large anonymity set to hide in.
>> >
>> > - If we want to maintain the principle of linkability reduction across CIDs, then this non-spinning-state should be independent for each CID. In contrast to what's in section 4 of spin-exp, non-spinning spin bits shouldn't be set to zero, rather to a random value on a per-CID basis. This is easily recognizable by an observer in all cases (client/server participate/nonparticipate-1/nonparticipate-0), and reduces the risk of ossification around nonparticipant action. (This risk is small, to be sure, but we should not clamp a bit to a constant value, if only because we want the protocol's design to consistent.)
>> >
>> > - As to whether non-spinning should be negotiated (see [the appendix in the author's copy]( versus "discretionary", I was originally a fan of negotiation (as it provides a better-than-greasing way to exercise the version negotiation mechanism), but the rules for maintaining the principle of linkability reduction across CIDs become more complicated for negotiated spin, and the benefits for observers (i.e., that an observer can classify flows by version) become far less clear in the face of that linkability reduction. So I would lean toward the discretionary approach for the sake of simplicity -- we'll just have to exercise version negotiation by shipping version 2 soon after version 1. ;)
>> Brian, thank you for starting the discussion.
>> I’m attending, but let me respond here, because I would like to
>> “optimize to avoid” people using their brain to parse my broken
>> English expressed verbally :-)
>> If we are to adopt spin bit, my view is that the use MUST be negotiated.
>> It seemed to me that we agree to the fact that at least in extreme
>> cases (e.g. a client or a server behind a intercontinental VPN), there
>> is a privacy concern in exposing the spin.
> I pointed out that this privacy concern also exists for the handshake, and I did not see a response.  Did I miss a mitigation there, or do you agree that watching the handshake would also disclose this?

My response to that point is that exposing a RTT once (during
handshake) and exposing once per every RTT gives an observer a
different accuracy on what the exact latency is. While I agree that
there are other ways to observe RTT, having spin bits is likely to be
a good way to improve the accuracy from observer's point of view.

FWIW, I think I have pointed that out on, but
was not a response to you.

>> Assuming that is true, an endpoint cannot discretionary start exposing
>> spin bits, because it exposes to the observer who knows the location
>> of the endpoint (which is the common case) how far the peer is from
>> it's VPN gateway.
> While I don't personally see that this reveals any new data beyond the handshake data, I think making this discretionary handles this cases very well.  A local configuration that says not to spin when going out a tunnel interface eliminates this risk completely.  The large window of randomly disabled other flows means that this discretionary choice is not highlighted in the data.

My bad. I was confused with another option of a spin-bit design that
does not require a peer to coordinate. I agree that the current
mechanism requires the peer's cooperation to expose the RTT.

>> It might be true that negotiating the use makes implementations
>> slightly complex. But the complexity should not be used as a reason to
>> ignore privacy concerns, especially in case where the additional
>> complexity is small.
> I think the complexity of including a configuration option for "no spinning on tun0-like interfaces" is less than the negotiation complexity.  I would even support that being a default configuration, if that allays your concerns.

Yeah. That is exactly why I asked if there is a privacy concern for
client devices hiding behind a carrier-grade NAT.

Brian's response was that it is not a concern if the distance of the
hidden path is behind 3,000km, while Mike and Roland pointed out that
in case of a user on a roaming the distance could go well above that.

That makes me wonder how you can build a sensible mechanism to detect
when spin bit should be enabled / disabled. Do you have any
> best regards,
> Ted Hardie
>> >
>> > If I can't join, have fun tomorrow. Cheers,
>> >
>> > Brian
>> >
>> --
>> Kazuho Oku

Kazuho Oku